Re: [TLS] Bakeoffs
Trevor Perrin <trevp@trevp.net> Wed, 16 April 2014 23:22 UTC
Return-Path: <trevp@trevp.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA7E21A03D6 for <tls@ietfa.amsl.com>; Wed, 16 Apr 2014 16:22:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PpUXLBe20kGG for <tls@ietfa.amsl.com>; Wed, 16 Apr 2014 16:22:01 -0700 (PDT)
Received: from mail-wg0-f50.google.com (mail-wg0-f50.google.com [74.125.82.50]) by ietfa.amsl.com (Postfix) with ESMTP id 938841A02E2 for <tls@ietf.org>; Wed, 16 Apr 2014 16:22:01 -0700 (PDT)
Received: by mail-wg0-f50.google.com with SMTP id x13so11429659wgg.21 for <tls@ietf.org>; Wed, 16 Apr 2014 16:21:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=5aaPBmUhZIe7ev1QHWXuabx9HoBA7msZGOw1EiNsMoQ=; b=mdFvl5B7MPFN2Dv+RNDPQ6e4rh9nlXB21eK44b+uxhmQ647yLmJ3VgVcrxsgo3HuLD UhQlQPWRMGkxYOMjoLqS3BgPxNZKvxub++lfVfK751WAO9OQ4toxqk1JzaP2/VGAgzyk EzscJ2sv4R3GuIs/SSqlhcUTuND67vElv1G5scfL//Q0cibxD3GEjYoVVKX7wcIDR5Td hDs3u30uyDiwpKfo0ijulaBjXxFZYJlDwHamPhovYikfiYHlwsu4ZkghRwQTa1t4zNyU c7j58mVpiOOfS3OI1JSjvttA9ZMJrZUPcQWQfj7wdIFtFQt1kUw82rAP5PzKOxNEN+Co MDTg==
X-Gm-Message-State: ALoCoQkrmpgbB3dufpJ6meKu9khU+iUm4XDhWXvbOiM88im4GTUYb0n4f+W0EeqF5yBoErUEeKDv
MIME-Version: 1.0
X-Received: by 10.180.106.132 with SMTP id gu4mr8887361wib.26.1397690517814; Wed, 16 Apr 2014 16:21:57 -0700 (PDT)
Received: by 10.216.45.146 with HTTP; Wed, 16 Apr 2014 16:21:57 -0700 (PDT)
X-Originating-IP: [173.11.71.217]
In-Reply-To: <534F09D6.1060308@akr.io>
References: <FAD11A6F-DB65-4797-89C2-022DCDED266F@iii.ca> <CACsn0ck5u_Sy7tvAbiT0mwRz0rkw4ZBW23F3R8qBV0urFEq21w@mail.gmail.com> <2A0EFB9C05D0164E98F19BB0AF3708C7120B4905A5@USMBX1.msg.corp.akamai.com> <CAGZ8ZG1C8L1LW=H__FCiuK-Ywq_c63-pxW39QoCR6f0k1wd2Xg@mail.gmail.com> <534F09D6.1060308@akr.io>
Date: Wed, 16 Apr 2014 16:21:57 -0700
Message-ID: <CAGZ8ZG0kCxBa44cSrwF9kjsutp=ooR3QV98OWueFBZga79tMHA@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Alyssa Rowan <akr@akr.io>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/pjqb-MvtENjxtQciXE7adAPz_gw
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Bakeoffs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Apr 2014 23:22:06 -0000
On Wed, Apr 16, 2014 at 3:53 PM, Alyssa Rowan <akr@akr.io> wrote: > > On 16/04/2014 01:46, Trevor Perrin wrote: > >> Maybe this argues for Adam Langley's earlier suggestion (also >> endorsed by a few others) that we focus on a TLS 1.3 that is a >> "tidying up" of 1.2, and push the larger goals (e.g. redesigning >> handshake for lower-latency or more encryption) to a TLS 2.0? > > On reflection, I think I may favour this approach, yes: > > * Keeping TLSv1.3 a cleaned-up v1.2 with better, faster, forward-secure > baseline of fast, constant-time ECDHE and AEADs, legacy/broken lint > removed, bugs fixed and downgrade protection, and getting that out > fairly promptly; > > and, > > * Following that with a TLSv2.0 process in which we look at the far > more radical and challenging changes: handshake improvements, > ClientHello/SNI encryption, perhaps a complete redesign. Perhaps we could do both in parallel? - * Start work now on a TLS 1.3 that is a cleaned-up / stripped-down profile of TLS 1.2, without major handshake changes or new features, aiming to finish in a few months. * Place a call for proposals for TLS 2.0, with the intent of choosing one as a WG item within 4-6 months. --- I hear the concern that people don't want a "clean-slate" or "revolutionary" redesign of TLS, they just want to quickly make the "minimal" changes to 5246 that meet our charter. I'd encourage such people to re-read the charter, and look at Eric's 1.3 draft. The goals and designs being considered are *already* a radical break from your parent's TLS. We'll have complex, difficult debates involving competing visions for TLS regardless of what process we choose. Having different proposals is not going to create this problem. But it will help us navigate it, by making it easier to compare the implications of inter-related design decisions. Here's an example of the questions we have to resolve, and which I think will be hard to handle with individual consensus calls if we don't have a holistic picture of what we're choosing: (1) Can pre-delivered public keys (via DNS? html? other?) be used to encrypt the handshake or even app data (e.g. Andy Lutomirski's "handshake keys" for protecting SNI, or "semi-static public keys" for 0-RTT initial connections)? (2) Should 0-RTT reconnection be achieved via a traditional session-ticket flow, or through a new flow based on caching a semi-static public key? (3) For either sort of zero-RTT reconnection, how do we design an "anti-replay" capability which is practical and scaleable, and doesn't leak tracking info? (4) For zero-RTT cases, should we overlay an additional DH exchange on the 1st RT to increase forward secrecy for subsequent data? Or should this be accomplished by a more general re-handshake capability? (5) Assuming we go with the zero-RTT semi-static key approach for reconnection, should we also re-implement the initial handshake in terms of it (i.e. spend the 1st RT to retrieve the semi-static key), which makes things simpler but otherwise is less optimal than retrieving a fresh ephemeral? (6) Should we stick with a signed-DH key agreement, or consider alternatives (e.g. SKEME, MQV, NTor, TripleDH, other?). (7) Should client auth be integrated into the handshake or moved to a post-handshake, channel-bound layer? (8) Should the protocol be integrated (somehow) with TCP or a TCP replacement (e.g. QUIC, MinimaLT, TCPcrypt)? (9) What should be done to minimize tracking / info-leaks in the protocol (e.g. remove / randomize session tickets / SessionIDs, remove other options, Elligator-type indistinguishability, more padding)? (10) Stylistic decisions: - choice of ciphersuites? - preserve TLS message formats or replace them? - larger extension spaces? (end the 16-bit suffering!) etc.... Trevor
- [TLS] Bakeoffs Cullen Jennings
- Re: [TLS] Bakeoffs Russ Housley
- Re: [TLS] Bakeoffs Watson Ladd
- Re: [TLS] Bakeoffs Martin Thomson
- Re: [TLS] Bakeoffs Yoav Nir
- Re: [TLS] Bakeoffs Martin Thomson
- Re: [TLS] Bakeoffs Salz, Rich
- Re: [TLS] Bakeoffs Yoav Nir
- Re: [TLS] Bakeoffs Cullen Jennings
- Re: [TLS] Bakeoffs Trevor Perrin
- Re: [TLS] Bakeoffs Trevor Perrin
- Re: [TLS] Bakeoffs Watson Ladd
- Re: [TLS] Bakeoffs Cullen Jennings
- Re: [TLS] Bakeoffs Paul Lambert
- Re: [TLS] Bakeoffs Juho Vähä-Herttua
- Re: [TLS] Bakeoffs Nikos Mavrogiannopoulos
- Re: [TLS] Bakeoffs Juho Vähä-Herttua
- Re: [TLS] Bakeoffs Alfredo Pironti
- Re: [TLS] Bakeoffs Salz, Rich
- Re: [TLS] Bakeoffs Eric Rescorla
- Re: [TLS] Bakeoffs Alyssa Rowan
- Re: [TLS] Bakeoffs Trevor Perrin
- Re: [TLS] Bakeoffs Martin Thomson
- Re: [TLS] Bakeoffs Mark Nottingham
- Re: [TLS] Bakeoffs Andrei Popov
- Re: [TLS] Bakeoffs Trevor Perrin
- Re: [TLS] Bakeoffs Trevor Perrin
- Re: [TLS] Bakeoffs Mark Nottingham
- Re: [TLS] Bakeoffs Adam Langley
- Re: [TLS] Bakeoffs Patrick McManus
- Re: [TLS] Bakeoffs Watson Ladd
- Re: [TLS] Bakeoffs Trevor Perrin
- Re: [TLS] Bakeoffs Nikos Mavrogiannopoulos
- Re: [TLS] Bakeoffs Nikos Mavrogiannopoulos
- Re: [TLS] Bakeoffs Michael Sweet
- Re: [TLS] Bakeoffs Patrick McManus
- Re: [TLS] Bakeoffs Salz, Rich
- Re: [TLS] Bakeoffs Salz, Rich
- Re: [TLS] Bakeoffs Salz, Rich
- Re: [TLS] Bakeoffs Michael Sweet
- Re: [TLS] Bakeoffs Trevor Perrin
- Re: [TLS] Bakeoffs Salz, Rich
- Re: [TLS] Bakeoffs Michael D'Errico
- Re: [TLS] Bakeoffs Salz, Rich
- Re: [TLS] Bakeoffs Sean Turner
- Re: [TLS] Bakeoffs Juho Vähä-Herttua
- Re: [TLS] Bakeoffs Alfredo Pironti
- Re: [TLS] Bakeoffs Cullen Jennings
- Re: [TLS] Bakeoffs Cullen Jennings